# Trivy ignore file for development environment
# Format: one CVE ID or misconfiguration ID per line

# ============================================================================
# k3s System Components (kube-system namespace)
# ============================================================================
# These components are managed by k3s and follow k3s design decisions.
# Manual modifications would be overwritten during k3s upgrades.

# AVD-KSV-0024: svclb-traefik uses hostPorts by design
# This is how k3s ServiceLB works - it binds to host ports 80/443
# Cannot be changed without replacing the entire ServiceLB implementation
AVD-KSV-0024

# AVD-KSV-0014: readOnlyRootFilesystem not set
# Many k3s components need write access for proper operation
# (logs, temp files, state management)
# Acceptable for trusted system components in a development environment
AVD-KSV-0014

# AVD-KSV-0118: Default securityContext usage
# k3s components use the default security context for compatibility
# and resource efficiency. Acceptable for development environments.
# In production, consider hardened Kubernetes distributions.
AVD-KSV-0118

# ============================================================================
# Longhorn Storage System
# ============================================================================
# Longhorn requires extensive permissions for volume management operations
# These are expected and necessary for storage orchestration

# ============================================================================
# Kubernetes RBAC Core Components
# ============================================================================
# system:kube-controller-manager needs cluster-wide permissions
# system:kube-scheduler needs cluster-wide permissions
# These are standard Kubernetes architecture requirements
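Each suppression above carries a rationale comment directly over the ID it silences. The lint below, added here as an example and not part of the page's file, enforces that convention on a .trivyignore: every ignored ID must be preceded by a justification comment, and time-boxed entries (Trivy's optional "exp:YYYY-MM-DD" suffix) must not have lapsed. The sample input is constructed in the page's style; AVD-XXX-0000 is a placeholder, not a real check ID.

```python
from datetime import date

# Constructed sample in the page's .trivyignore style: two justified entries (one
# time-boxed with Trivy's optional "exp:YYYY-MM-DD" suffix), one entry with no
# justification comment, and one lapsed exception. AVD-XXX-0000 is a placeholder.
SAMPLE = """\
# Trivy ignore file for development environment
# Format: CVE-ID or Misconfiguration ID

# AVD-KSV-0024: svclb-traefik uses hostPorts by design
AVD-KSV-0024

# AVD-KSV-0014: readOnlyRootFilesystem not set
AVD-KSV-0014 exp:2099-01-01

AVD-KSV-0118

# AVD-XXX-0000: placeholder ID, time-boxed exception that has lapsed
AVD-XXX-0000 exp:2020-01-01
"""

def parse_ignore(text):
    """Return (line, id, expiry date or None, justification lines) per entry.
    The justification is the comment run directly above the entry; a blank
    line ends the run, so section banners do not count as a rationale."""
    pending, entries = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            pending = []
        elif line.startswith("#"):
            pending.append(line.lstrip("#").strip())
        else:
            cid, *rest = line.split()  # first field is the ID, as Trivy reads it
            exp = next((r[4:] for r in rest if r.startswith("exp:")), None)
            entries.append((lineno, cid, exp and date.fromisoformat(exp), pending))
            pending = []
    return entries

def lint(text, today):
    """Policy violations: entries without a rationale, and lapsed exceptions.
    `today` is an ISO date string so runs are reproducible."""
    today, problems = date.fromisoformat(today), []
    for lineno, cid, exp, why in parse_ignore(text):
        if not why:
            problems.append(f"line {lineno}: {cid} has no justification comment")
        if exp and exp < today:
            problems.append(f"line {lineno}: {cid} exception expired on {exp}")
    return problems
```

Run it as a pre-commit or CI step over the real file so an unexplained or stale suppression fails the build rather than silently hiding a finding.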